Unstructured CCSP study notes
I highly recommend reading cromwell-intl.com - Cybersecurity / ISC2-CCSP for further notes.
Business Requirements Analysis
- Inventory of Assets
- Surveys, audits, interviews, automation, etc
- Valuation of Assets
- Do not put a $10 lock on a $5 bicycle
- Data owner is the business manager in charge of the data
- Determination of Criticality
- Tangible assets - Cars in a Car Rental Agency
- Intangible assets - Music copyright for a Label
- Processes - Register failure in a fast food restaurant
- Data paths - Logistical coordination, Cargo to Carriers
- Personnel - Surgeon in a surgery
- Identify Single Points of Failure (SPOF)
Criticality - SPOFs
SPOF - Single Point of Failure
- Not all SPOFs are part of critical assets
- Any chokepoint in a process, procedure or production chain
- Solutions
- Add redundancies in case of failure
- Create alternative processes in case of failure
- Cross training personnel to handle multiple roles
- Consistent and thorough data backup with quick restore
- Load sharing/balancing for IT assets
Various
- Virtual sprawl / virtualization sprawl
Data Dispersion
- Data dispersion permits data to be replicated throughout a distributed storage infrastructure through policy
- Dispersion is automated
- Dispersion increased Availability
- Chunking : storing multidimensional data in multi-dimensional rectangular chunks to speed up slow accesses at the cost of slowing down fast accesses
- Programs that access chunked data can be oblivious to whether or how chunking is used.
Data Lifecycle Stages
Data States
Data can exist in the following states, each of which requires different security controls.
Formal term | Meaning |
---|---|
In transit | On the wire, in flight |
At rest | On disk, in storage |
In use | In memory (RAM, CPU cache, etc) |
Actors
Data subject | An individual who is the focus of personal data |
Data owner | Holds the legal rights and complete control over a single piece of data elements. The data owner also can define distribution and associated policies |
Data controller | A person who alone or jointly with others determines the purposes for which and the manner in which any personal data is processed |
Data processor | Any person other than an employee of the data controller who processes the data on behalf of the data controller |
Data steward | Responsible for data content, context, and business rules |
Data custodian | Responsible for safe custody, transport, and storage of data, and implementation of business rules |
- Custodian is responsible for technical controls (CIA, audit trails, etc)
- Steward is responsible for business controls (metadata, governance, compliance)
Various
- Data dispersal in the cloud
Uptime Institute
Data Center Site Infrastructure Tier Standard Topology
Feature | Tier I | Tier II | Tier III | Tier IV |
---|---|---|---|---|
Active components supporting load | N | N+1 | N+1 | 2N or 2N + 1 |
Distribution paths | 1 | 1 | 1 active, 1 alternate | 2 active |
Concurrently maintainable | — | — | Yes | Yes |
Fault tolerant | — | — | — | Yes |
Compartmentalization | — | — | — | Yes |
Continuous cooling | — | — | — | Yes |
- Tier I: Basic Data Center Site Infrastructure
- Tier II: Redundant Site Infrastructure Capacity Components
- Tier III: Concurrently Maintainable Site Infrastructure
- Tier IV: Fault-Tolerant Site Infrastructure
Datacenter considerations
- 12 hours of fuel for all four tiers
- Raised floor height at least 24 inch (= ~60.96 cm)
Environmental controls
min | max | |
---|---|---|
Temperature | 18 °C/ 64.4 °F | 27 °C / 80.6 °F |
Humidity | 40% | 60% |
Datacenter physical design
- Security redundancy is in layers, not repetition
- Driveways that wind and curve, include bollards
- Guest access through a controlled access point
- Placement of hazardous or vital components away from personnel or vehicles
- Interior physical access controls (badging, keys, turnstiles, etc)
- Specific physical protections for sensitive assets (safes, etc)
- Inventory tracking mechanisms (RFID etc)
- Fire detection and suppression systems
- Sufficient power for all functions in the event of power disruption
Threat modeling - STRIDE
Promoted and further developed by Microsoft. Describes threats by attributes.
- Spoofing - Impersonation (e.g. IP or user)
- Tampering - With data inputs, outputs or stored
- Repudiation - Inability to deny action compromised
- Information Disclosure - Data leakage or breach
- Denial of Service - Loss of Availability
- Elevation of Privilege - Raise user privilege above authorized level
Testing
- SAST - Static Application Security Testing
- White-box test, source available, no execution
- Example, null pointer dereference, quality issues
- DAST - Dynamic Application Security Testing
- Black-box test, examination at runtime
- Example, environment configuration, protocol parsing issues
ISO 27034-1 Standards for Secure App Development
ONF (Organization Normative Framework) is essentially organizational or Company guidelines/matrix/repository on securing applications controls and process.
ANF (Application Normative Framework) is a subset or mapping of the ONF that contains the information specific to an application.
ONF has many ANFs, each ANF only one ONF
SDLC Phases
SDLC (CCSP) | NIST SP 800-64 | NIST SP 800-160 | |
---|---|---|---|
1. | Defining | Initiation | Concept |
2. | Designing | Development | Development |
3. | Developing | Implementation | Production |
4. | Testing | Operation | Utilization |
5. | Secure Operations | Support | |
6. | Disposal | Disposal | Retirement |
- Material refers to NIST SP 800-64, this has been superceded by NIST SP 800-160 Systems Security Engineering
OWASP Top-10
2013 | 2017 | |
---|---|---|
1 | Injection | Injection |
2 | Broken Authentication and Session Mgmt | Broken Authentication |
3 | Cross-Site Scripting (XSS) | Sensitive Data Exposure |
4 | Insecure direct object references | XML External Entities |
5 | Security Misconfiguration | Broken Access Control |
6 | Sensitive Data Exposure | Security Misconfiguration |
7 | Missing function-level Access Control | Cross-Site Scripting |
8 | Cross-Site Request Forgery (XSRF) | Insecure Deserialization |
9 | Using Components with Known Vulnerabilities | Using Components with Known Vulnerabilities |
10 | Unvalidated Redirects and Forwards | Insufficient Logging & Monitoring |
Multi-tenancy / Resource Sharing
- Reservations - guaranteed minimum resources for tenants
- Limits - guaranteed maximum resources for tenants
- Shares - prioritized distribution of remainder resources after Reservations, up to Limits
Time / Frequency
Time / Frequency Concepts
MAD | Maximum Allowable Downtime | Cannot be down longer than this |
MTD | Maximum Tolerable Downtime | Equivalent to MAD |
RTO | Recovery Time Objective | We want to be back up this soon |
MTTR | Mean Time To Recovery | Average recovery length |
RPO | Recovery Point Objective | We can afford to lose this much. |
MTBF | Mean Time Between Failures | Average failure rate |
RSL | Recovery Service Level | Service level during recovery |
Maintenance Mode
Maintenance Mode is used when changes (updates, configuration) are made to the Operating System in Root/Ring-0 (Hypervisor).
- Disable alerts
- Continue logging
- Customer access (starting new VMs) is blocked
- Live-migrate running VMs to other hosts
- Administrator access only, possibly restricted to physical console
- Follow vendor guidance and best practices
ISO 22237 Protection and Availability Classes
- Protection Class 1: Public or semi-public area.
- Protection Class 2: Accessible to all authorized personnel, employees and visitors.
- Protection Class 3: Restricted to specified employees and visitors, those with access to Class 2 only must be accompanied by Class 3 personnel.
- Protection Class 4: Even stricter, need to demonstrate need for access.
Disaster Recovery / Business Continuity
- Business Continuity efforts - maintaining critical operations during an interruption in service
- Disaster Recovery efforts - resuming operations after an interruption due to disaster
- An event is an unscheduled adverse impact to operations. An event is distinguished from a disaster by its duration
- BIA lists assets (criticality, value, etc), input for BC/DR
BCDR Plan
- A list of items from the Asset Inventory deemed critical
- The circumstances under which an Event or Disaster is declared
- Who is authorised to make the declaration
- Essential point of Contact
- Detailed Actions, Taskss and Activities
BCDR Plan - Notes
- Authorized party also declares cessation of BCDR activities
- This should only be done once there is a high degree of confidence that all safety and health hazards are cleared, operations is back to normal
- Doing this too soon can exacerbate the disaster or create a new one
BCDR Testing
- Tabletop testing, no impact
- Dry run, minor impact
- Full test, major impact
Change Management (CM)
- CM starts with baselining
- Security controls included in the basesline
- Baseline should suit largest number of systems in the organization
- Can have multiple baselines if required
- Continually test baselines to detect deviations
- An adversarial, unresponsive exception process will undermine security
CM process
- CM process is part of an organisation’s governance
CSA - STAR
- Security
- Privacy
OECD - Organization for Economic Cooperation and Development
Privacy and Security Guidelines
Aims to globally protect privacy through a practical, risk-management-based approach. Should follow these principles:
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Security Safeguards
- Openness
GDPR - National laws compliant with EU GDPR
European Free Trade Area (EFTA)
- Switzerland
- Lichtenstein
- Norway
- Iceland
Rest of the world
- Argentina
- Australia — Privacy Act 1988, since 2014 Australian Privacy Principles
- New Zealand
- Japan
- Canada — PIPEDA
- Androrra
- Israel
- Uruguay
GDPR - General Data Protection Regulation
Updated 95/46/EU Privacy Directive to include:
- Consent
- Transfers abroad
- The right to be forgotten
- Access requests
- Home state regulation
- Increased sanctions
- Establishing the role of the data protection officer
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Gramm–Leach–Bliley Act (GLBA)
- Financial Services Modernization Act of 1999
- It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company.
Sarbanes–Oxley Act (Sarbox, SOX)
AKA,
- Public Company Accounting Reform and Investor Protection Act
- Corporate and Auditing Accountability, Responsibility, and Transparency Act
Drove development by American Institute of Certified Public Accountants (AICPA) of,
- SSAE 16 and SOC audit reports
- In technology SaaS companies, the SOC 2 audit is purchased to provide an assurance on various aspects of the software including security, availability, and processing integrity
Preparing for legal actions
- Legal hold When a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and ensure the preservation of relevant documents.
- E-Discovery Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence.
- Spoliation The intentional or accidental destruction or alteration of data either on “legal hold” or lawfully requested.
- Production Presenting the requested data to the court or requesting party.
e-Discovery Stages
Investigation types (USA)
- Operational in-house
- Civil two parties settle a disagreement in court, just needs over 50% proof (“preponderance of evidence”)
- Criminal jury or judge must find “beyond a reasonable doubt”
Police are constrained by the Fourth Amendment, private citizens are not (unless working as agents of the government). Part of the Bill of Rights. It prohibits unreasonable searches and seizures. In addition, it sets requirements for issuing warrants: warrants must be issued by a judge or magistrate, justified by probable cause, supported by oath or affirmation, and must particularly describe the place to be searched and the persons or things to be seized
Shared responsibility model
Concern | IaaS | PaaS | SaaS |
---|---|---|---|
Governance, Risk, Compliance | Customer | Customer | Customer |
Data Security | Customer | Customer | Customer |
Application Security | Customer | Customer | Shared |
Platform Security | Customer | Shared | Provider |
Infrastructure Security | Shared | Provider | Provider |
Physical Security | Provider | Provider | Provider |
Data Rights Management (DRM)
Mechanisms
- Rudimentary Reference Check
- Online Reference Check
- Local Agent Check
- Presence of Licensed Media
- Support-Based Licensing
Provides
- Persistent Protection
- Dynamic Policy Control
- Automatic Expiration
- Continuous Auditing
- Replication Restrictions
- Remote Rights Revocation
- Might provide more
Federated Identity Management
Technologies used for federated identity include,
- SAML (Security Assertion Markup Language)
- OAuth - Authorization
- OpenID - Authentication
- Security Tokens
- Simple Web Tokens
- JSON Web Tokens
- SAML assertions
- Web Service Specifications
- Windows Identity Foundation
- XACML - Authorization
Various
- SAML — the most commonly used federation. XML-based framework to communicate user authentication, authorization, and attributes. Authentication tokens are digitally signed XML, moved over TLS.
- WS-Federation, federation within the broader WS-Security or WS-* framework.
- OpenID Connect — based on OAuth, lower security.
- OAuth — widely used for web and mobile access. Users can grant websites or applications access to their information on websites, without giving them the passwords.
- Also included in the exam question pool but with less emphasis:
- Shibboleth — heavily used in education settings, based on SAML, open & free
- XACML — eXtensible Access Control Markup Language. It’s an Attribute-Based Access Control system. Attributes associated with a user or action or resource are inputs to the access-control decision.
OpenID
PCI-DSS
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council (PCI-SSC).
The standard was created to increase controls around cardholder data to reduce credit card fraud.
Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
PCI-DSS Control objectives
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
PCI-DSS Process
Each requirement/sub-requirement is additionally elaborated into three sections.
- Requirement Declaration
- Testing Processes
- Guidance
PCI-DSS Requirements
- Installing and maintaining a firewall configuration to protect cardholder data
- Changing vendor-supplied defaults for system passwords and other security parameters
- Protecting stored cardholder data
- Encrypting transmission of cardholder data over open, public networks
- Protecting all systems against malware and performing regular updates of anti-virus software
- Developing and maintaining secure systems and applications
- Restricting access to cardholder data to only authorized personnel
- Identifying and authenticating access to system components
- Restricting physical access to cardholder data
- Tracking and monitoring all access to cardholder data and network resources
- Testing security systems and processes regularly
- Maintaining an information security policy for all personnel
PCI-DSS Compliance levels
- Level 1 – Over 6 million transactions annually
- Level 2 – Between 1 and 6 million transactions annually
- Level 3 – Between 20,000 and 1 million transactions annually
- Level 4 – Less than 20,000 transactions annually
Each card issuer maintains their own table of compliance levels.
Tokenization
Format-preserving tokens
Format-preserving tokens maintain the look and feel of the original payment card data. For example:
- Payment Card Number:
4222 2221 2221 2221
- Format Preserving Token:
4222 8765 2345 2221
Non-format-preserving tokens
Non-format preserving tokens don’t resemble the original data and could include both alpha and numeric characters. For example:
- Payment Card Number:
4222 2221 2221 2221
- Non-format Preserving Token:
25c92e13-80f6-415f-9d65-3395a32u0223
System and Organization Controls (SOC)
History
- Statements on Auditing Standards - SAS 70
- Statements on Standards for Attestation Engagements 2011-2017 - SAE 16
- Statements on Standards for Attestation Engagements 2017-now - SAE 18
SOC Overview
Three reports, created by AICPA (American Institute of Certified Public Accountants).
What it reports on | Who uses it | |
---|---|---|
SOC 1 | Internal controls over financial reporting | User auditor and user controller’s office |
SOC 2 | Security, availability, processing integrity, confidentiality or privacy controls | Shared under NDA by management, regulators, etc |
SOC 3 | Security, availability, processing integrity, confidentiality or privacy controls | Shared publicly |
The SOC 1 and SOC 2 reports come in two forms: Type I and Type II.
- Type I reports evaluating whether proper controls are in place at a specific point in time.
- Type II reports are done over a period of time to verify operational efficiency and effectiveness of the controls.
SOC notes
- SOC 1 covers financial controls
- SOC 1 and SOC 2 have Type 1 and Type 2 (1 = point in time, 2 = periodic)
- SOC 2 details should be usable by IT staff, regulators, and business partners
- SOC 2 covers any of the Five Trust Services,
- Security (mostly access control)
- Availability
- Processing Integrity (complete, accurate, timely, authorized)
- Confidentiality
- Privacy
- SOC 3 is a public summary (pass/fail) of SOC 2
Standards and Regulations
Main ISO standards
- 27001 — Defines ISMS
- 27002 — Defines controls and best practices for ISMS
- 27005 — Information security risk management
- 27034 — Application security
- ONF or Organizational Normative Framework
- ANF or Application Normative Framework
- 28000 — Supply chain (and other 2800*)
- 31000 — Risk management framework
FIPS 140-2
NIST issued the FIPS 140 series to coordinate the requirements and standards for cryptography modules that include both hardware and software components.
Level | Description |
---|---|
Level 1 | No physical requirements |
Level 2 | Tamper-evident |
Level 3 | Tamper-resistant |
Level 4 | Tamper-responsive |
FIPS 140-2 is a requirements document that sets the minimum strength level for data encryption used in Sensitive But Unclassified (SBU) USA/Federal operating environments.
Common Criteria
Assurance levels
EAL1 | Functional | Tested |
EAL2 | Structural | Tested |
EAL3 | Methodical | Tested and Checked |
EAL4 | Methodical | Designed, Tested and Reviewed |
EAL5 | Semiformal | Designed and Tested |
EAL6 | Semiformal | Verified Design and Tested |
EAL7 | Formal | Verified Design and Tested |
IAM - Identity
IAM - Components
IAM - Functionality
- Identity Management
- Provisioning is the first phase
- Access Management
- Authentication
- Authorization
- Policy Management
- Federation
- Built on SAML
- WS-Federation
- OAuth
- OpenID Connect
- Identity Repositories
- X.500, LDAP, AD, Metadata replication
SIM, SEM, SIEM
- SIM Security information management: Long-term storage as well as analysis and reporting of log data.
- SEM Security event manager : Real-time monitoring, correlation of events, notifications and console views.
- SIEM Security information and event management : Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.
Privacy Shield
- The EU–US Privacy Shield is a framework for regulating exchanges of personal data for commercial purposes between the EU and the US
- One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect EU citizens
- The EU–US Privacy Shield is a replacement for the International Safe Harbor Privacy Principles (declared invalid 2015)
- On the US side Privacy Shield is enforced by the FTC
Non-EU companies can also use a contractual relationship for processing personal data from the EU.
Virtualization
- Hypervisor Type-1 : Bare metal (Hardware / Ring 0)
- Hypervisor Type-2 : Paravirtualizard (Software / Ring 2)
Review
Levels
Levels | One is | High is | |
---|---|---|---|
CSA STAR | 3 | LOW | Continuous, automated 3rd party monitoring |
ISO 22237 | 4 | LOW | Demonstrate need for access |
PCI-DSS | 4 | HIGH | 6M+ transactions/year |
FIPS 140-2 | 4 | LOW | Tamper-responsive |
Common Criteria | 7 | LOW | Formal - Verified Design, Tested |
Uptime Institute | 4 | LOW | Fault-tolerant site infrastructure |
Cloud Security Operations
- Understand how redundancy is implemented in the design of cloud datacenters
- Know the four tiers of datacenter redundancy published by the Uptime Institute
- Training and awareness - know which element best support training efforts
- Understand the different between DAST and SAST